elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] Query for rule "Net command via SYSTEM account" is incorrect #1914

Closed jdixon-86 closed 2 years ago

jdixon-86 commented 2 years ago

Describe the bug The default query for the SIEM rule "Net command via SYSTEM account" appears to be incorrect.

To Reproduce Default query:

process where event.type in ("start", "process_started") and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
process.name : "whoami.exe" or
(process.name : "net1.exe" and not process.parent.name : "net.exe")

Expected behavior Expected to return results on all process starts, run by SYSTEM, that executed net1.exe without the parent process being net.exe. However, it is returning on process exited events because it is executing on just (process.name : "net1.exe" and not process.parent.name : "net.exe")

Screenshots N/A

Desktop (please complete the following information): N/A

Additional context It appears the actual query should be (see bold characters for changes):

process where event.type in ("start", "process_started") and
(process.Ext.token.integrity_level_name : "System" or
winlog.event_data.IntegrityLevel : "System") and
**(**process.name : "whoami.exe" or
(process.name : "net1.exe" and not process.parent.name : "net.exe")**)**

Ticket Elastic support ticket: #00932534
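The precedence problem the issue describes can be made concrete by re-expressing both queries as predicates and running them over a handful of events. The following is an added illustration, not code from the elastic/detection-rules repository or from the issue's participants: it is not an EQL engine, it simply mirrors EQL's precedence (`and` binds tighter than `or`) with explicit Python grouping, and the flat event dictionaries and the sample events are constructed for the example.

```python
# Added illustration (not from elastic/detection-rules): the two queries from
# the issue expressed as Python predicates so the effect of operator precedence
# ("and" binds tighter than "or", in EQL as in Python) can be observed.
# The flat event shape and the sample events below are constructed for this example.

SYSTEM = "System"


def is_system(ev):
    """Either integrity-level field reports System (mirrors the query's inner 'or')."""
    return (ev.get("process.Ext.token.integrity_level_name") == SYSTEM
            or ev.get("winlog.event_data.IntegrityLevel") == SYSTEM)


def net1_not_from_net(ev):
    """net1.exe launched by something other than net.exe."""
    return (ev.get("process.name") == "net1.exe"
            and ev.get("process.parent.name") != "net.exe")


def original_query(ev):
    # As written in the rule: without parentheses the "and" chain binds tighter
    # than the trailing "or", so the net1.exe branch is evaluated on every event,
    # regardless of event.type or integrity level.
    return ((ev.get("event.type") in ("start", "process_started")
             and is_system(ev)
             and ev.get("process.name") == "whoami.exe")
            or net1_not_from_net(ev))


def fixed_query(ev):
    # With the reporter's parentheses: the process-name alternation is only
    # evaluated after the event.type and integrity-level constraints hold.
    return (ev.get("event.type") in ("start", "process_started")
            and is_system(ev)
            and (ev.get("process.name") == "whoami.exe" or net1_not_from_net(ev)))


# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": "a", "event.type": "start", "process.name": "whoami.exe",
     "process.parent.name": "cmd.exe", "process.Ext.token.integrity_level_name": "System"},
    {"id": "b", "event.type": "start", "process.name": "net1.exe",
     "process.parent.name": "cmd.exe", "winlog.event_data.IntegrityLevel": "System"},
    {"id": "c", "event.type": "start", "process.name": "net1.exe",
     "process.parent.name": "net.exe", "winlog.event_data.IntegrityLevel": "System"},
    # Events that should not fire: a process *end* event (the false positive the
    # issue reports), and net1.exe / whoami.exe at Medium integrity.
    {"id": "d", "event.type": "end", "process.name": "net1.exe",
     "process.parent.name": "cmd.exe", "winlog.event_data.IntegrityLevel": "System"},
    {"id": "e", "event.type": "start", "process.name": "net1.exe",
     "process.parent.name": "cmd.exe", "winlog.event_data.IntegrityLevel": "Medium"},
    {"id": "f", "event.type": "start", "process.name": "whoami.exe",
     "process.parent.name": "cmd.exe", "winlog.event_data.IntegrityLevel": "Medium"},
]


def matches(query, events=EVENTS):
    """Return the ids of the events the given predicate fires on."""
    return [ev["id"] for ev in events if query(ev)]


if __name__ == "__main__":
    print("original:", matches(original_query))  # ['a', 'b', 'd', 'e']
    print("fixed:   ", matches(fixed_query))     # ['a', 'b']
```

Running it shows the original query firing on the end event (`d`) and on the Medium-integrity net1.exe launch (`e`), while the parenthesised query fires only on the two SYSTEM process starts. The same check is worth applying to any rule whose top-level boolean mixes `and` and `or` without grouping.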

w0rk3r commented 2 years ago

Hey @KnowMoreIT, thanks for the issue. The following PR #1912 was created to fix this one, applying your suggestions plus a rename to better reflect the query. Let me know if any adjustments are needed, thanks!

jdixon-86 commented 2 years ago

@w0rk3r I'm not sure the new name best describes what it is doing. I think something like "NET1/WhoAmI Process Discovery Command via SYSTEM Account".

It is essentially looking for any processes started by SYSTEM that launched WhoAmI.exe OR (Net1.exe without the parent being Net.exe)

w0rk3r commented 2 years ago

Yeah, but the new name reflects the account discovery, which is the outcome of executing both whoami and net utilities, as it does not look only for net execution, and we can further expand it with other discovery-related activity in the future.